[OIS] Add PSA crypto backend support (#27387)
This commit allows the selection of PSA as the cryptographic
algorithm used when building Matter CryptoPAL with the Open
IoT SDK.
The GitHub CI workflow for the SDK examples/unit tests has been
updated to build and test the lock-app example and unit-tests
with both the mbedtls and psa cryptographic backends.

Add call to psa_crypto_init()

The Matter PSA implementation still uses some underlying MbedTLS
functions (including random number generation). To use these
functions however a call to psa_crypto_init() is required.
Extend Matter Python builder with crypto backend options.

Enable ECP optimization.

Signed-off-by: Anna Bridge <[email protected]>
ATmobica authored and pull[bot] committed Jan 29, 2024
1 parent 7860e90 commit 2aa76f6
Showing 22 changed files with 219 additions and 66 deletions.
1 change: 1 addition & 0 deletions .github/.wordlist.txt
Expand Up @@ -1072,6 +1072,7 @@ ProxyDiscovery
ProxyValid
ProxyView
PRs
PSA
PSCAN
PSECT
PSK
56 changes: 44 additions & 12 deletions .github/workflows/examples-openiotsdk.yaml
Expand Up @@ -32,7 +32,7 @@ env:
jobs:
openiotsdk:
name: Open IoT SDK examples building
timeout-minutes: 90
timeout-minutes: 120

env:
TEST_NETWORK_NAME: OIStest
Expand Down Expand Up @@ -97,21 +97,21 @@ jobs:
examples/shell/openiotsdk/build/chip-openiotsdk-shell-example.elf \
/tmp/bloat_reports/
- name: Build lock-app example
id: build_lock_app
- name: Build lock-app example (mbedtls)
id: build_lock_app_mbedtls
timeout-minutes: 10
run: |
scripts/examples/openiotsdk_example.sh lock-app
scripts/examples/openiotsdk_example.sh -b mbedtls lock-app
.environment/pigweed-venv/bin/python3 scripts/tools/memory/gh_sizes.py \
openiotsdk release lock-app \
openiotsdk release lock-app-mbedtls \
examples/lock-app/openiotsdk/build/chip-openiotsdk-lock-app-example.elf \
/tmp/bloat_reports/
- name: Build unit tests
id: build_unit_tests
- name: Build unit tests (mbedtls)
id: build_unit_tests_mbedtls
timeout-minutes: 10
run: |
scripts/examples/openiotsdk_example.sh unit-tests
scripts/examples/openiotsdk_example.sh -b mbedtls unit-tests
- name: "Test: shell example"
if: steps.build_shell.outcome == 'success'
Expand All @@ -120,17 +120,49 @@ jobs:
scripts/run_in_python_env.sh out/venv \
'scripts/examples/openiotsdk_example.sh --no-activate -C test shell'
- name: "Test: lock-app example"
if: steps.build_lock_app.outcome == 'success'
- name: "Test: lock-app example (mbedtls)"
if: steps.build_lock_app_mbedtls.outcome == 'success'
timeout-minutes: 5
run: |
scripts/setup/openiotsdk/network_setup.sh -n $TEST_NETWORK_NAME up
scripts/run_in_python_env.sh out/venv \
'scripts/run_in_ns.sh ${TEST_NETWORK_NAME}ns scripts/examples/openiotsdk_example.sh --no-activate -C test -n ${TEST_NETWORK_NAME}tap lock-app'
scripts/setup/openiotsdk/network_setup.sh -n $TEST_NETWORK_NAME down
- name: "Test: unit-tests"
if: steps.build_unit_tests.outcome == 'success'
- name: "Test: unit-tests (mbedtls)"
if: steps.build_unit_tests_mbedtls.outcome == 'success'
timeout-minutes: 40
run: |
scripts/run_in_python_env.sh out/venv \
'scripts/examples/openiotsdk_example.sh --no-activate -C test unit-tests'
- name: Build lock-app example (psa)
id: build_lock_app_psa
timeout-minutes: 10
run: |
scripts/examples/openiotsdk_example.sh -c -b psa lock-app
.environment/pigweed-venv/bin/python3 scripts/tools/memory/gh_sizes.py \
openiotsdk release lock-app-psa \
examples/lock-app/openiotsdk/build/chip-openiotsdk-lock-app-example.elf \
/tmp/bloat_reports/
- name: Build unit tests (psa)
id: build_unit_tests_psa
timeout-minutes: 10
run: |
scripts/examples/openiotsdk_example.sh -b psa unit-tests
- name: "Test: lock-app example (psa)"
if: steps.build_lock_app_psa.outcome == 'success'
timeout-minutes: 5
run: |
scripts/setup/openiotsdk/network_setup.sh -n $TEST_NETWORK_NAME up
scripts/run_in_python_env.sh out/venv \
'scripts/run_in_ns.sh ${TEST_NETWORK_NAME}ns scripts/examples/openiotsdk_example.sh --no-activate -C test -n ${TEST_NETWORK_NAME}tap lock-app'
scripts/setup/openiotsdk/network_setup.sh -n $TEST_NETWORK_NAME down
- name: "Test: unit-tests (psa)"
if: steps.build_unit_tests_psa.outcome == 'success'
timeout-minutes: 40
run: |
scripts/run_in_python_env.sh out/venv \
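Review bot: The psa unit-tests build step runs `scripts/examples/openiotsdk_example.sh -b psa unit-tests` without `-c`, whereas the psa lock-app step right above it uses `-c -b psa lock-app`; both targets were already configured by the mbedtls steps earlier in the job, so if `-c` is the clean flag the unit-tests build may reuse a cached mbedtls configuration and never actually exercise the PSA backend. Use the same invocation for both, `scripts/examples/openiotsdk_example.sh -c -b psa unit-tests`, or state in a comment why the unit-tests build tree can be reused. The bloat-report label also changes from `lock-app` to `lock-app-mbedtls`, which presumably breaks size-history comparison with earlier runs unless the reporting tool is updated to the new key; worth confirming. The last hunk (`@@ -120,17 +120,49 @@`) continues beyond the end of this section.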
9 changes: 9 additions & 0 deletions .vscode/tasks.json
Expand Up @@ -251,6 +251,7 @@
"-Cbuild",
"-d${input:openiotsdkDebugMode}",
"-l${input:openiotsdkLwipDebug}",
"-b${input:openiotsdkCryptoBackend}",
"${input:openiotsdkExample}"
],
"group": "build",
Expand All @@ -271,6 +272,7 @@
"-Cbuild",
"-d${input:openiotsdkDebugMode}",
"-l${input:openiotsdkLwipDebug}",
"-b${input:openiotsdkCryptoBackend}",
"unit-tests"
],
"group": "build",
Expand Down Expand Up @@ -480,6 +482,13 @@
"options": ["false", "true"],
"default": "false"
},
{
"type": "pickString",
"id": "openiotsdkCryptoBackend",
"description": "Which Crypto algorithm do you wish to use?",
"options": ["mbedtls", "psa"],
"default": "mbedtls"
},
{
"type": "command",
"id": "openiotsdkExample",
1 change: 1 addition & 0 deletions config/openiotsdk/CMakeLists.txt
Expand Up @@ -62,6 +62,7 @@ matter_add_gn_arg_bool ("chip_automation_logging" CONFIG_CHIP_AUTO
matter_add_gn_arg_bool ("chip_error_logging" CONFIG_CHIP_ERROR_LOGGING)
matter_add_gn_arg_bool ("chip_openiotsdk_use_tfm" TFM_SUPPORT)
matter_add_gn_arg_bool ("chip_openiotsdk_use_psa_ps" CONFIG_CHIP_OPEN_IOT_SDK_USE_PSA_PS)
matter_add_gn_arg_string("chip_crypto" "${CONFIG_CHIP_CRYPTO}")
if (TARGET cmsis-rtos-api)
matter_add_gn_arg_string("target_os" "cmsis-rtos")
endif()
1 change: 0 additions & 1 deletion config/openiotsdk/chip-gn/args.gni
Expand Up @@ -31,7 +31,6 @@ chip_system_config_use_lwip = true
lwip_platform = "external"
chip_system_config_use_sockets = false

chip_crypto = "mbedtls"
chip_external_mbedtls = true

custom_toolchain = "${chip_root}/config/openiotsdk/chip-gn/toolchain:openiotsdk"
11 changes: 9 additions & 2 deletions config/openiotsdk/cmake/chip.cmake
Expand Up @@ -21,7 +21,7 @@

get_filename_component(GEN_DIR ${CHIP_ROOT}/zzz_generated/ REALPATH)

# Default CHIP build configuration
# Default CHIP build configuration
set(CONFIG_CHIP_PROJECT_CONFIG "main/include/CHIPProjectConfig.h" CACHE STRING "")
set(CONFIG_CHIP_LIB_TESTS NO CACHE BOOL "")
set(CONFIG_CHIP_LIB_SHELL NO CACHE BOOL "")
Expand All @@ -32,6 +32,7 @@ set(CONFIG_CHIP_AUTOMATION_LOGGING YES CACHE BOOL "Enable logging at automation
set(CONFIG_CHIP_ERROR_LOGGING YES CACHE BOOL "Enable logging at error level")

set(CONFIG_CHIP_OPEN_IOT_SDK_USE_PSA_PS NO CACHE BOOL "Enable using PSA Protected Storage")
set(CONFIG_CHIP_CRYPTO "mbedtls" CACHE STRING "Matter crypto backend. Mbedtls as default")

if(CONFIG_CHIP_OPEN_IOT_SDK_USE_PSA_PS AND NOT TFM_SUPPORT)
message( FATAL_ERROR "You can not use PSA Protected Storage without TF-M support" )
Expand All @@ -53,8 +54,14 @@ if(TFM_SUPPORT)
add_dependencies(chip-gn tfm-ns-interface)
endif()

if ("${CONFIG_CHIP_CRYPTO}" STREQUAL "psa")
target_compile_definitions(chip
INTERFACE
CONFIG_CHIP_CRYPTO_PSA)
endif()

function(chip_add_data_model target scope model_name)
target_include_directories(${target}
target_include_directories(${target}
PUBLIC
${GEN_DIR}/app-common
${GEN_DIR}/${model_name}-app
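Review bot: `CONFIG_CHIP_CRYPTO` is accepted as free-form text at `set(CONFIG_CHIP_CRYPTO "mbedtls" CACHE STRING ...)` and only the exact string `psa` enables `CONFIG_CHIP_CRYPTO_PSA`, so a value such as `PSA` or `mbedTLS` neither triggers the define nor fails the configure step; it is just forwarded to GN as `chip_crypto`. Constrain the value and fail early, mirroring the existing `CONFIG_CHIP_OPEN_IOT_SDK_USE_PSA_PS` / `TFM_SUPPORT` check above. The PSA backend also appears to rely on TF-M providing the crypto service (this commit comments out `MBEDTLS_PSA_CRYPTO_C` in `config/openiotsdk/mbedtls/mbedtls_config.h` and feeds `mbedtls_config_psa.h` to TF-M's mbedcrypto in sdk.cmake), so a `psa` build without `TFM_SUPPORT` presumably has no PSA implementation at all; if that reading is right, reject the combination the same way.
```cmake
set(CONFIG_CHIP_CRYPTO "mbedtls" CACHE STRING "Matter crypto backend: mbedtls (default) or psa")
set_property(CACHE CONFIG_CHIP_CRYPTO PROPERTY STRINGS mbedtls psa)

if(NOT "${CONFIG_CHIP_CRYPTO}" MATCHES "^(mbedtls|psa)$")
    message(FATAL_ERROR "Unsupported CONFIG_CHIP_CRYPTO='${CONFIG_CHIP_CRYPTO}' (expected mbedtls or psa)")
endif()

# … unchanged: PSA Protected Storage / TF-M checks and chip-gn dependencies …

if("${CONFIG_CHIP_CRYPTO}" STREQUAL "psa")
    # NOTE(review): confirm the PSA backend is only available through TF-M's crypto service
    if(NOT TFM_SUPPORT)
        message(FATAL_ERROR "You can not use the PSA crypto backend without TF-M support")
    endif()
    target_compile_definitions(chip
        INTERFACE
        CONFIG_CHIP_CRYPTO_PSA)
endif()
```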
35 changes: 18 additions & 17 deletions config/openiotsdk/cmake/sdk.cmake
Expand Up @@ -27,7 +27,7 @@ get_filename_component(OPEN_IOT_SDK_STORAGE_SOURCE ${CHIP_ROOT}/third_party/open
# Open IoT SDK targets passed to CHIP build
list(APPEND CONFIG_CHIP_EXTERNAL_TARGETS)

# Additional Open IoT SDK build configuration
# Additional Open IoT SDK build configuration
set(TFM_SUPPORT NO CACHE BOOL "Add Trusted Firmware-M (TF-M) support to application")
set(TFM_NS_APP_VERSION "0.0.0" CACHE STRING "TF-M non-secure application version (in the x.x.x format)")
set(CONFIG_CHIP_OPEN_IOT_SDK_LWIP_DEBUG NO CACHE BOOL "Enable LwIP debug logs")
Expand Down Expand Up @@ -82,7 +82,7 @@ if(TFM_SUPPORT)
set(TFM_PLATFORM ${OPEN_IOT_SDK_EXAMPLE_COMMON}/tf-m/targets/an552)
set(TFM_PSA_FIRMWARE_UPDATE ON)
set(MCUBOOT_IMAGE_VERSION_NS ${TFM_NS_APP_VERSION})
set(TFM_CMAKE_ARGS "-DCONFIG_TFM_ENABLE_FP=ON;-DTFM_PROFILE=profile_medium;-DTFM_EXCEPTION_INFO_DUMP=ON;-DCONFIG_TFM_HALT_ON_CORE_PANIC=ON;-DTFM_ISOLATION_LEVEL=1")
set(TFM_CMAKE_ARGS "-DCONFIG_TFM_ENABLE_FP=ON;-DTFM_PROFILE=profile_medium;-DTFM_EXCEPTION_INFO_DUMP=ON;-DCONFIG_TFM_HALT_ON_CORE_PANIC=ON;-DTFM_ISOLATION_LEVEL=1;-DTFM_MBEDCRYPTO_PLATFORM_EXTRA_CONFIG_PATH=${OPEN_IOT_SDK_CONFIG}/mbedtls/mbedtls_config_psa.h;-DMBEDCRYPTO_BUILD_TYPE=${CMAKE_BUILD_TYPE};-DCMAKE_BUILD_TYPE=${CMAKE_BUILD_TYPE}")
if ("${CMAKE_BUILD_TYPE}" STREQUAL "Debug")
set(TFM_CMAKE_ARGS "${TFM_CMAKE_ARGS};-DMCUBOOT_LOG_LEVEL=INFO;-DTFM_SPM_LOG_LEVEL=TFM_SPM_LOG_LEVEL_DEBUG;-DTFM_PARTITION_LOG_LEVEL=TFM_PARTITION_LOG_LEVEL_INFO")
else()
Expand Down Expand Up @@ -117,24 +117,24 @@ endif()
# Add RTOS configuration headers
# Link cmsis-rtos-api against a concrete implementation
if(TARGET cmsis-rtos-api)
target_include_directories(cmsis-core
INTERFACE
target_include_directories(cmsis-core
INTERFACE
cmsis-config
)

target_compile_definitions(cmsis-rtos-api
PUBLIC
DOMAIN_NS=$<IF:$<BOOL:${TFM_SUPPORT}>,1,0>
)

if(TARGET freertos-kernel)
target_include_directories(freertos-kernel
PUBLIC
target_include_directories(freertos-kernel
PUBLIC
freertos-config
)

target_link_libraries(freertos-kernel
PUBLIC
target_link_libraries(freertos-kernel
PUBLIC
cmsis-core
)

Expand Down Expand Up @@ -250,14 +250,6 @@ if("cmsis-freertos" IN_LIST IOTSDK_FETCH_LIST)
)
endif()

if("mbedtls" IN_LIST IOTSDK_FETCH_LIST)
list(APPEND CONFIG_CHIP_EXTERNAL_TARGETS
mbedtls
mbedtls-config
mbedtls-threading-cmsis-rtos
)
endif()

if("lwip" IN_LIST IOTSDK_FETCH_LIST)
list(APPEND CONFIG_CHIP_EXTERNAL_TARGETS
lwipcore
Expand All @@ -282,6 +274,15 @@ if("trusted-firmware-m" IN_LIST IOTSDK_FETCH_LIST)
)
endif()

# Note: Mbed TLS must appear after TF-M otherwise psa from mbed TLS is used
if("mbedtls" IN_LIST IOTSDK_FETCH_LIST)
list(APPEND CONFIG_CHIP_EXTERNAL_TARGETS
mbedtls
mbedtls-config
mbedtls-threading-cmsis-rtos
)
endif()

# Additional Open IoT SDK port components

# Add Open IoT SDK storage source
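Review bot: The ordering note `# Note: Mbed TLS must appear after TF-M otherwise psa from mbed TLS is used` records a symptom rather than the invariant, and relying on list order to pick which of two `psa_*` providers satisfies the link is fragile: a later reorder of `CONFIG_CHIP_EXTERNAL_TARGETS` would silently route key operations to Mbed TLS's in-process PSA instead of the TF-M secure-side service, with no build error. State what must hold so the next maintainer can keep it true, e.g. `# Note: keep Mbed TLS after TF-M in CONFIG_CHIP_EXTERNAL_TARGETS. With TFM_SUPPORT the psa_* API must resolve to the TF-M NS interface (secure-side crypto), never to Mbed TLS's own PSA implementation; mbedtls_config.h keeps MBEDTLS_PSA_CRYPTO_C disabled for the same reason, so the two never both define psa_*.` The second half is my reading of the `MBEDTLS_PSA_CRYPTO_C` change elsewhere in this commit and should be confirmed before being written down as fact.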
5 changes: 5 additions & 0 deletions config/openiotsdk/lwip/user_lwipopts.h
Expand Up @@ -49,6 +49,11 @@
*/
#define LWIP_RAW (1)

/**
* Disable DHCP as the IP6 link local address can be used.
*/
#define LWIP_DHCP 0

#ifdef LWIP_DEBUG

// Debug Options
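Review bot: `#define LWIP_DHCP 0` changes network behaviour for every Open IoT SDK build, not just the PSA backend, and neither the commit message nor the comment explains why a crypto-backend change needs it; a reviewer would ask for it to be split out or at least justified. If the motivation is footprint, say so in the comment, e.g. `/* Disable the IPv4 DHCP client: the examples are reached over the IPv6 link-local address, and dropping DHCP frees RAM/flash needed by the PSA build. */` — that reason is a guess and should be replaced with the real one. If the SDK's base lwipopts can already define `LWIP_DHCP`, precede the define with `#undef LWIP_DHCP`, as this commit does for `MBEDTLS_ECP_FIXED_POINT_OPTIM`, to avoid a redefinition warning.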
6 changes: 3 additions & 3 deletions config/openiotsdk/mbedtls/mbedtls_config.h
Expand Up @@ -2692,7 +2692,7 @@
* or MBEDTLS_PSA_CRYPTO_EXTERNAL_RNG.
*
*/
#define MBEDTLS_PSA_CRYPTO_C
//#define MBEDTLS_PSA_CRYPTO_C

/**
* \def MBEDTLS_PSA_CRYPTO_SE_C
Expand Down Expand Up @@ -3313,8 +3313,8 @@
//#define MBEDTLS_HMAC_DRBG_MAX_SEED_INPUT 384 /**< Maximum size of (re)seed buffer */

/* ECP options */
//#define MBEDTLS_ECP_WINDOW_SIZE 4 /**< Maximum window size used */
//#define MBEDTLS_ECP_FIXED_POINT_OPTIM 1 /**< Enable fixed-point speed-up */
#define MBEDTLS_ECP_WINDOW_SIZE 6 /**< Maximum window size used */
#define MBEDTLS_ECP_FIXED_POINT_OPTIM 1 /**< Enable fixed-point speed-up */

/* Entropy options */
//#define MBEDTLS_ENTROPY_MAX_SOURCES 20 /**< Maximum number of sources supported */
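Review bot: `#define MBEDTLS_ECP_WINDOW_SIZE 6` and `#define MBEDTLS_ECP_FIXED_POINT_OPTIM 1` are enabled with only the stock Mbed TLS doc strings, so the next reader cannot tell this is a deliberate speed-for-memory trade: both options buy faster point multiplication with larger precomputed tables, as Mbed TLS's own config text for these options describes. Add a line above them such as `/* Speed up EC point multiplication (ECDH/ECDSA in CASE/PASE) at the cost of extra RAM/ROM for precomputed tables; window size 6 vs. the Mbed TLS default of 4 — record the measured gain here. */`. Commenting out `MBEDTLS_PSA_CRYPTO_C` also deserves a why-comment, e.g. `/* PSA crypto is provided by TF-M in this port; do not re-enable here or two psa_* implementations will be linked. */`, otherwise a later maintainer re-enabling it reintroduces two `psa_*` providers; that reading follows from the reorder note in sdk.cmake and should be confirmed.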
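--- /dev/null
+++ b/config/openiotsdk/mbedtls/mbedtls_config_psa.h
@@ -0,0 +1,6 @@
+
+#define MBEDTLS_SHA1_C
+#define PSA_WANT_ALG_SHA_1
+#define MBEDTLS_ECP_WINDOW_SIZE 6 /**< Maximum window size used */
+#undef MBEDTLS_ECP_FIXED_POINT_OPTIM
+#define MBEDTLS_ECP_FIXED_POINT_OPTIM 1 /**< Enable fixed-point speed-up */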
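Review bot: This new TF-M mbedcrypto extra config enables SHA-1 (`MBEDTLS_SHA1_C`, `PSA_WANT_ALG_SHA_1`) in the secure-side crypto service with no justification; SHA-1 is collision-broken and should not be exposed by the PSA crypto partition unless a specific consumer needs it, so either drop it or name the consumer in a comment, e.g. `/* SHA-1 is required only by <consumer>; do not use it for new signatures or MACs. */`. The file also has no header saying what it is or who includes it; add one such as `/* Extra Mbed TLS / PSA options applied to TF-M's mbedcrypto via TFM_MBEDCRYPTO_PLATFORM_EXTRA_CONFIG_PATH (see config/openiotsdk/cmake/sdk.cmake). */` and drop the leading blank line. For consistency with the `MBEDTLS_ECP_FIXED_POINT_OPTIM` handling, guard the window size as well with `#undef MBEDTLS_ECP_WINDOW_SIZE` before its `#define`, since the base TF-M config may already define it and a plain redefinition will warn.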